
Google shut down malicious Web attacks coming from a compromised advertising network on Friday. The move follows a security firm's analysis that found the ad platform, Zedo, serving up advertisements that attempted to infect the computers of visitors to major websites.

In an attack that ended early Friday morning, visitors to Last.fm, The Times of Israel, and The Jerusalem Post ran the risk of their computers becoming infected as Zedo redirected visitors' systems to malicious servers. Because the advertisements hosted on Zedo's servers were distributed through Google's Doubleclick, the attack reached millions of potential victims, Jerome Segura, senior security researcher at Malwarebytes Labs, told Ars.

Distributing malware through legitimate advertising networks, a technique known as "malvertising," has become an increasingly popular way to compromise the systems of consumers and workers alike.

Visitors to any site that hosted ads served up by the Zedo platform could have been infected with a downloader known as Zermot. Downloader programs are used by cybercriminals as the initial beachhead on computer systems, infecting the machines and allowing other software—everything from spam-sending bots to information-stealing trojans—to be uploaded to the compromised device.
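The mechanism described above (a legitimate ad-network host redirecting the visitor's browser to an outside server that hands over a downloader executable) is something a defender can look for in web proxy logs. The following script is an added example, not code from the article or from Malwarebytes or Zedo; the log lines, host names and allowlists are constructed for illustration. It walks each client's requests, records any redirect issued by a known ad-serving host that points outside the expected ad and publisher infrastructure, and raises a finding when that client later fetches an executable from the host it was redirected to.

```python
"""Flag ad-served redirect chains that leave the known ad infrastructure and
end in an executable download.  Added example with constructed data; the host
names below are placeholders, not hosts from the Zedo/Doubleclick incident."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist of hosts expected inside an ad redirect chain (assumption).
KNOWN_AD_HOSTS = {
    "ads.example-adnet.test",
    "cdn.example-adnet.test",
    "serving.example-exchange.test",
}
# Constructed publisher sites whose pages embed the ads (assumption).
PUBLISHER_HOSTS = {"news.example-publisher.test"}
# Content types that indicate a Windows executable or raw binary payload.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed proxy log.  Fields: client referer url status content-type location
# ("-" means the field is empty).  Client 10.0.0.5 is redirected off the ad
# network and downloads a binary; client 10.0.0.9 receives a normal image ad.
SAMPLE_LOG = """\
10.0.0.5 http://news.example-publisher.test/article http://ads.example-adnet.test/ad.js 200 application/javascript -
10.0.0.5 http://ads.example-adnet.test/ad.js http://cdn.example-adnet.test/creative 302 text/html http://drop.unknown-host.test/a.php
10.0.0.5 http://cdn.example-adnet.test/creative http://drop.unknown-host.test/a.php 302 text/html http://drop.unknown-host.test/setup.exe
10.0.0.5 http://drop.unknown-host.test/a.php http://drop.unknown-host.test/setup.exe 200 application/x-msdownload -
10.0.0.9 http://news.example-publisher.test/article http://ads.example-adnet.test/ad.js 200 application/javascript -
10.0.0.9 http://ads.example-adnet.test/ad.js http://cdn.example-adnet.test/creative 200 image/gif -
"""


def host_of(url):
    """Return the host part of a URL, or an empty string if it has none."""
    return urlsplit(url).hostname or ""


def parse_log(text):
    """Group the whitespace-separated log lines by client, preserving order."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, referer, url, status, ctype, location = line.split()
        per_client[client].append({
            "referer": referer,
            "url": url,
            "status": int(status),
            "ctype": ctype,
            "location": None if location == "-" else location,
        })
    return per_client


def find_ad_redirect_drops(text, known_hosts=KNOWN_AD_HOSTS,
                           publisher_hosts=PUBLISHER_HOSTS):
    """Return one finding per client that was redirected by an ad host to an
    unknown host and then fetched an executable from that host."""
    findings = []
    for client, requests in parse_log(text).items():
        pivot_hosts = set()  # hosts an ad server sent this client to
        for req in requests:
            src = host_of(req["url"])
            if (req["status"] in REDIRECT_STATUSES and req["location"]
                    and src in known_hosts):
                dst = host_of(req["location"])
                # A redirect between known ad hosts is routine; leaving the
                # known set is the suspicious hop.
                if dst not in known_hosts and dst not in publisher_hosts:
                    pivot_hosts.add(dst)
            elif req["ctype"] in EXECUTABLE_TYPES and src in pivot_hosts:
                findings.append({
                    "client": client,
                    "pivot_host": src,
                    "payload_url": req["url"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_ad_redirect_drops(SAMPLE_LOG):
        print(f"{finding['client']} pulled {finding['payload_url']} "
              f"after an ad redirect to {finding['pivot_host']}")
```

The allowlist approach deliberately avoids naming specific bad hosts: the signal is an ad server handing the browser to a host that is neither part of the ad network nor the publisher, followed by a binary download from it. In a real deployment the known-host sets would come from the organisation's own traffic baseline, and the content-type check would be paired with inspection of the file's magic bytes, since a malicious server controls the headers it sends.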

The attack was stopped early Friday morning when Google broke ties with Zedo, according to Malwarebytes. Google confirmed that it took steps to stop the attack and that its servers were not compromised, but the company did not provide details of its actions.

"Can't get into specifics, unfortunately, but our team did shut it down," a spokesperson for the company said in response to e-mailed questions from Ars.

Zedo did not respond to a request for an interview.

Malvertising attacks have become a popular way to infect unsuspecting users' systems. In late August, for example, software and services firm Fox-IT alerted users that visitors to Oracle's Java.com, popular celebrity news site TMZ.com, art and illustration site Deviantart.com, and international news site IBTimes.com could have been infected via malicious content served up by a compromised advertising network. The attack used an exploit for Java—ironic, considering Java-owner Oracle's site was impacted by the rogue advertisements.

"Combating this malvertising technique is hard due to the large layered setup of the bidding platforms currently in place. It can be a malicious advertiser three layers down in the chain but it can also be on the first level," Fox-IT stated in its analysis of the late August attack. "Trust is the current system many advertisers use, but it seems to be insufficient for today's malvertising campaigns and techniques; a new system needs to be implemented in order to combat them."

The most recent abuse of an advertising network appears to have ended. While it's uncertain how many Web users may have been impacted by the Zedo attack, Malwarebytes' Segura put the number of users that likely encountered a malicious advertisement in the millions.

"We rarely see attacks on a large scale like this, so we highly recommend that people keep their systems up-to date, with current antivirus and anti-malware protection," he stated in his analysis.


Robert Lemos
Robert Lemos is an award-winning freelance journalist, on assignment as IT security correspondent for Ars Technica. A former research engineer, he covers malware, hacking, cybercrime and enterprise security technology for a number of publications, including Ars Technica, eWEEK, TechTarget and MIT Technology Review. Twitter: @roblemos